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In  an  effort  to  reduce  costs  and  time  to  deploy 
mission  capable  unmanned  aerial  vehicles  (UAV), 
the  Department  of  Defense  (DoD)  has  transitioned 
smart  devices  into  the  battlefield  as  portable,  hand¬ 
held  UAV  ground  control  stations  (GCS)  without 
adequate  cybersecurity  protection.  While  a  number 
of  threat  model  approaches  have  been  published, 
they  are  outdated  and  fail  to  evaluate  a  complete 
system.  This  article  develops  a  holistic  threat  model 
that  analyzes  the  cybersecurity  vulnerabilities 
within  the  communication  network,  smart  device 
hardware,  software  applications,  as  well  as  the 
insider  threat.  Additionally,  this  article  provides  a 
risk-based  threat  profile  of  a  DoD  pilot  UAV  smart 
device  GCS  system.  This  model  will  fill  the  gaps  in 
current  threat  model  approaches,  to  provide  the  DoD 
with  a  tool  to  properly  assess  the  threat  environ¬ 
ment  of  a  UAV  smart  device  GCS,  and  build  layers 
of  security  into  the  system  throughout  the  system 
development  life  cycle. 


Keywords:  acquisitions;  process  improvement:  best  practices; 
- standardisation;  innovation 


A  Publication  of  the  Defense  Acquisition  University 


http://www.dau.mil 


With  the  rapid  advancement  of  technology  and  its  popularity  in  the 
consumer  market,  smart  phones  and  tablets  are  migrating  to  and  chang¬ 
ing  the  way  we  operate  on  the  battlefield.  In  the  past,  the  Department 
of  Defense  (DoD)  has  been  reluctant  to  allow  smart  devices  to  be  used 
in  a  battlefield  environment  without  the  capability  to  provide  secure 
connections  for  classified  communication  (Dalton,  2012).  However,  the 
enhanced  capabilities  and  benefits  of  these  small,  handheld  devices  for 
mission  planning  and  data  sharing  have  persuaded  the  DoD  to  accept  the 
inherent  risks  of  using  improperly  secured  smart  devices  on  the  battle¬ 
field.  In  fact,  a  number  of  these  portable  handheld  UAV  GCS  devices  are 
now  part  of  a  series  of  DoD  pilot  programs  (Pellerin,  2013). 


Background 

UAV  remote  sensors  often  collect  large  amounts  of  data  to  be  sent 
near  real-time  over  a  communication  network  for  interpretation;  how¬ 
ever,  current  secured  legacy  military  communication  networks  cannot 
support  the  large  capacity  needed  to  make  this  effective.  Ultra  High 
Frequency  (UHF)  satellite  communication  networks  have  been  used  to 
support  UAV  communication  network  requirements,  but  availability  is 
limited  only  to  the  highest  priority  users  and  therefore  is  not  always  a 
viable  solution  (Wilcoxson,  2013).  Other  secured  military  wireless  net¬ 
works  may  be  readily  accessible,  but  share  the  same  performance  issues; 
processing  capacity  and  latency  limitations  (Hartman,  Beacken,  Bishop, 
&  Kelly,  2011).  As  a  result,  the  DoD  has  explored  solutions  in  the  private 
sector  to  meet  the  rapidly  evolving  UAV  communication  requirements 
risking  the  use  of  unsecured  networks. 

Commercial  smart  phones  and  tablets  provide  the  high  processing 
capability  needed  to  control  and  process  data  from  UAVs  in  a  compact, 
light-weight,  mobile,  handheld  device.  Using  smart  device  technology 
and  supporting  software  apps,  the  DoD  has  taken  the  functionality  of  a 
traditional  GCS  and  miniaturized  it  into  a  mobile,  portable  smart  device. 
These  apps  provide  near  real-time  avionics  flight  display,  navigation 
systems,  system  health  monitoring  and  prognostics  display,  imagery  and 
position  mapping,  and  data  processing  (Troiani,  2011).  Using  a  Fourth 
Generation  (4G)  Long  Term  Evolution  (LTE)  commercial  wireless  net¬ 
work  solution  provides  a  wide  spectrum  bandwidth,  ranging  from  1.4  to 
20  megahertz  (MHz);  increasing  the  availability  and  options  for  opera¬ 
tional  frequencies  for  deployment.  4G  LTE  also  significantly  reduces 
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latency  issues  and  provides  peak  data  rate  capabilities  that  feature  near 
real-time  data  links  with  minimal  interference  from  the  UAV  remote 
sensors  (Hartman  et  al.,  2011). 


Several  DoD  pilot  programs  have  been  estab¬ 
lished  to  evaluate  the  technical  capabilities  of 
smart  devices  and  demonstrate  a  proof  of  con¬ 
cept  of  the  UAV  smart  device  GCS.  Previous 
research  has  explored  cybersecurity  threats 
to  the  UAV  and  the  traditional  GCS;  however, 
little  research  has  been  done  to  explore  what 
additional  cyber  threats  have  been  encountered 
with  the  use  of  commercially  available  smart  devices 
to  command  and  control  UAVs.  Much  of  the  technology 
and  processes  currently  in  development  to  secure  the 
UAV  smart  device  GCS  system  are  not  accompanied  by 
a  proper  threat  analysis.  Current  threat  model  tools  are 
outdated  and  incapable  of  conducting  a  thorough  threat 
analysis  of  an  information  system  in  its  entirety,  resulting 
in  deploying  inadequately  secured  devices  to  the 
battlefield,  and  increasing  system  and  mission 
risk  (Stango,  Prasad,  &  Kyriazanos,  2009).  Our 
research  presents  a  recommended  approach 
to  conducting  a  threat  model  for  information 
systems.  By  evaluating  the  vulnerabilities  and 
threats  to  a  DoD  UAV  within  the  parameters  of  a 
smart  device  GCS  pilot  program,  both  civilian  and 
military  UAV  communities  can  benefit  from  the  successful  deployment 
of  a  properly  secured  UAV  smart  device  GCS. 


UAV  Smart  Device  Case  Study 

Using  a  combination  of  Yin’s  Case  Study  Research  approaches,  the 
proposed  threat  model  approach  was  developed  to  assess  the  security  of 
the  UAV  smart  device  GCS  (Yin,  2013).  The  first  step  involved  a  docu¬ 
mentation  review  to  assess  the  gaps  in  existing  threat  model  approaches, 
followed  by  interviews  to  assess  gaps  in  current  government  practices 
and  the  effectiveness  of  the  proposed  threat  model.  Lastly,  direct  obser¬ 
vations  of  a  pilot  UAV  smart  device  program  were  conducted  to  assess 
implementation  of  the  proposed  threat  model. 
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Phase  I:  Threat  Model  Gap  Analysis 

The  threat  models  currently  being  used  are  outdated  and  do  not 
reflect  advances  in  technology.  Consequently,  a  number  of  gaps  exist  in 
the  threat  models  being  used  to  protect  information  systems.  Threat 
models  need  to  evolve  with  the  technology  and  the  associated  threats 
(Stango  et  al.,  2009).  The  gaps  in  the  following  sections  address  problems 
we  found  assessing  a  range  of  current  threat  models. 

For  the  past  10  years,  threat  models  have  focused  primarily  on  software 
applications.  This  focus  is  due  in  part  to  system  failures  and  loss  of  data 
caused  by  software  threats,  including  software  viruses  (Di  &  Smith, 
2007).  However,  as  technology  has  advanced  in  information  systems, 
such  as  the  UAV  smart  device  GCS,  threats  are  no  longer  limited  to 
just  software.  Information  systems  today  are  comprised  of  hardware, 
software,  and  communication  networks.  Therefore,  threats  must  be 
evaluated  for  the  complete  Unmanned  Aerial  System  (UAS)  within  one 
single  threat  model  to  ensure  the  UAS  is  secured  as  a  whole. 

Little  has  been  done  in  the  development  of  threat  models  for  hardware 
and  communication  networks,  even  though  the  number  of  attacks  to 
hardware  and  communication  networks  has  increased  signiflcantly  with 
the  advancement  in  technology  and  popularity  of  smart  mobile  devices 
(Wang,  Streff,  &  Raman,  2012).  Current  hardware  and  communica¬ 
tion  threat  models  are  tailored  to  speciflc  systems  or  areas  of  interest. 
Recently,  communication  network  threat  models  have  been  developed 
to  address  security  concerns  in  personal  networks;  network  jamming 
attacks;  mobile  ad  hoc  and  sensor  networks;  and  command,  control,  com¬ 
munications,  computers  and  intelligence  (C4I)  security  threats.  Even 
fewer  hardware  threat  models  have  been  developed,  only  addressing 
hardware  that  has  been  compromised  by  malicious  software  logic  and 
threats  to  storage  systems.  However,  these  areas  of  vulnerabilities  have 
not  been  a  major  concern  for  the  UAV  community.  Therefore,  the  need 
to  improve  upon  these  threat  models  has  not  existed. 

With  the  exception  of  Clark  et  al.  (2007),  threat  models  have  only 
addressed  threats  from  malicious  external  attackers  and  not  the  internal 
threats  and  vulnerabilities  that  can  arise  from  users  or  maintainors  of 
the  system.  While  system  security  is  extremely  important  and  must  be 
maintained,  the  human  factor  is  the  biggest  vulnerability  in  any  system 
and  is  more  critical  than  technology.  Many  of  today’s  security  problems 
are  attributed  to  inadequate  security  awareness  on  the  part  of  users 
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and  maintainers,  yet  the  majority  of  threat  models  do  not  address  the 
internal  human  factors  that  can  compromise  system  security  (Chen, 
Shaw,  &  Yang,  2006). 

A  number  of  threat  model  methodologies  exist;  each  has  been  tailored  to 
fit  the  needs  of  a  specific  user  and/or  area  of  interest.  A  crucial,  but  often 
omitted  step  required  within  a  threat  model  approach  is  a  threat  analysis. 
A  threat  analysis  involves  assessing  the  risk  and  prioritizing  each  threat 
and  then  determining  the  countermeasures  to  enhance  system  security. 
Threat  models  that  fail  to  complete  a  threat  analysis  are  incomplete, 
and  do  not  provide  designers  with  the  information  required  to  properly 
secure  the  system  (Oladimeji,  Supakkul,  &  Chung,  2006). 

Threat  Model  Comparison.  Table  1  introduces  six  published  threat 
models  and  highlights  critical  gaps  in  the  approaches  that  each  describes. 
The  following  discussion  further  elaborates  on  these  models  and  the 
gaps  within  each. 


TABLE  1.  THREAT  MODEL  COMPARISON 
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Risk  analysis 
and  threat 
prioritization 

X 

X 

X 

Identifies  and 
addresses  human 
(inside/external) 
threats 

X 

X 

A  Hardware  Threat  Modeling  Concept  for  Trustable  Integrated 
Circuits  proposes  a  threat  model  approach  to  identifying  hardware 
threats  “to  determine  a  circuit’s  trustability  and  provide  guidance  to 
malicious-logic  checking  tools”  (Di  &  Smith,  2007,  p.  1).  This  threat 
model  is  a  simplified  approach  that  involves  understanding  what  the 
adversary  wishes  to  accomplish  and  possible  entry  points,  as  well  as 
identifying  threats  and  attacks  to  the  digital  integrated  circuits.  While 
the  need  to  determine  the  severity  of  threats  and  attacks  as  discussed, 
the  threat  model  fails  to  identify  a  recommended  approach  rendering 
this  threat  model  approach  to  hardware  incomplete.  While  identify¬ 
ing  threats  is  important  to  the  security  of  device,  this  threat  model 
approach  doesn’t  provide  information  to  make  a  determination  on  how 
to  proceed  forward  with  securing  the  device. 

Threat  Modelling  for  Mobile  Ad  Hoc  Sensors  Networks,  as  demon¬ 
strated  by  Clark  et  al.  (2007),  introduces  a  threat-model  approach 
for  mobile  ad  hoc  networks  and  sensor  networks.  This  threat-model 
approach  characterizes  the  network  system  based  upon  military  opera¬ 
tion  modes  in  peace-time,  transition  to  war,  and  wartime;  recognizing 
the  variations  of  system  context  and  operation  may  impact  the  risk 
decision  making.  Focusing  on  the  adversary,  this  threat  model  attempts 
to  identify  what  capabilities  the  adversary  may  have  that  may  present 
a  threat  to  the  communication  network.  Based  upon  the  operational 
environment  and  adversary  capabilities  threats  to  the  network  commu¬ 
nications,  infrastructure  and  services,  physical  nodes  and  people  are 
identified.  This  threat  model  addresses  a  need  for  a  risk-management 
approach  to  make  a  determination  for  what  threats  pose  the  greatest 
risk  and  an  approach  to  addressing  those  threats.  The  threat  model, 
however,  fails  to  identify  or  even  mention  the  need  for  countermeasures. 

Oladimeji  et  al.  (2006),  in  their  Security  Threat  Modeling  and  Analysis; 
A  Goal-Oriented  Approach,  uses  a  negative  softgoal  or  N-softgoal 
approach  to  identify  threats  to  software  applications.  This  simpli¬ 
fied  threat-model  approach  defines  security  objectives  for  the  system. 
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identifies  software  threats,  analyzes  threats  and  their  associated  risks, 
and  provides  a  mitigation  plan  for  countermeasures.  This  approach  is 
effective  for  addressing  software  applications  only. 

Enhanced  C4I  Security  Using  Threat  Modeling  identifies  a  threat-mod¬ 
eling  approach  to  C4I  systems  to  protect  sensitive  military  information 
being  exchanged  between  information  systems  (Alghamdi,  Hussain,  & 
Faraz  Kahn,  2010).  The  threat-model  approach  utilizes  a  variation  of  the 
negative  softgoals  approach  described  earlier  in  conjunction  with  the 
use  of  existing  DoD  architecture  framework  (DoDAF)  artifacts.  DoDAF 
operational  view  and  system  view  diagrams  are  used  to  decompose  and 
identify  the  operational  needs  of  the  system,  interconnections,  boundar¬ 
ies,  scope,  interfaces,  entry  and  exit  points,  access  points,  attack  points, 
and  need  lines.  Using  N-softgoal  trees,  threats  and  countermeasures  to 
the  system  are  identified  based  upon  breaches  to  confidentiality,  integ¬ 
rity,  and  availability  security  principles.  The  threat-model  approach 
vaguely  addresses  the  hardware  threats,  focusing  primarily  on  the  com¬ 
munication  network.  While  the  threat  model  identifies  countermeasures 
for  each  system  threat,  the  threat  model  fails  to  address  a  risk-analysis 
approach,  thereby  giving  the  impression  that  each  mitigation  technique 
or  countermeasure  should  be  implemented.  Implementation  of  each 
countermeasure  will  not  only  drive  up  significant  costs  to  the  program 
but  it  may  also  impact  the  overall  performance  of  the  system. 

Cyber  Security  Threat  Analysis  and  Modeling  of  an  Unmanned  Aerial 
Vehicle  System  is  intended  to  provide  a  threat  model  approach  for  a  tra¬ 
ditional  UAV  system;  however,  the  threat-model  approach  focuses  mainly 
on  the  communication  link  between  the  UAV  and  the  traditional  GCS 
(Javaid,  Sun,  Devabhaktuni,  &  Alam,  2012).  The  threat  model  identifies 
threat  attacks  to  the  confidentiality,  integrity,  and  availability  of  the  com¬ 
munication  network,  with  mere  acknowledgement  of  software  threats 
to  the  UAV  and  GCS.  A  risk  analysis  is  conducted  of  the  communication 
network  using  flight  simulation  software;  however,  the  approach  fails  to 
identify  countermeasures  and  a  mitigation  plan.  While  the  threat  model 
discusses  the  components  of  the  UAV  system  for  background  purposes, 
it  is  not  considered  part  of  the  threat  model  and  therefore  may  explain 
why  the  complete  system  is  not  assessed. 

Threat  modeling  is  a  powerful  tool  that  is  critical  to  a  system’s  security 
if  used  properly  by  the  security  team.  Threat  models  provide  the  founda¬ 
tion  on  which  threats  will  be  identified,  addressed,  and  mitigated.  Table  1 
identifies  the  gaps  that  exist  within  current  threat  models.  Our  proposed 
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threat-model  approach  is  the  first  research-based  model  that  addresses 
the  UAV  smart  device  GCS  while  also  addressing  existing  gaps  in  threat 
models  and  government  security  practices.  This  robust  threat  model  for 
the  UAV  smart  device  GCS  will  fill  the  gaps  identified  in  current  threat 
models  and  improve  on  existing  techniques  by  addressing  threats  to  all 
areas  of  an  information  system  (hardware,  software,  communication 
network,  and  people),  and  conducting  a  thorough  threat  analysis  by 
completing  a  risk  assessment  and  providing  countermeasures  for  the 
threats  identified. 

The  threat  model  should  be  implemented  throughout  the  system  devel¬ 
opment  life  cycle  and  other  government  processes  to  enhance  the 
security  of  the  UAV  smart  device  GCS.  Identified  threats  that  pose  the 
greatest  risk  must  be  addressed  in  the  UAS’s  security  requirements, 
since  those  risks  cannot  be  allowed  to  manifest  if  system  security  is 
to  be  ensured.  This  will  help  ensure  security  is  built  into  the  system, 
making  both  the  government  and  defense  contractors  responsible  for 
implementing  the  overall  security  of  the  device.  The  system  design, 
accordingly,  is  influenced  by  the  countermeasures  implemented  to  mit¬ 
igate  threats  to  the  system  (Myagmar,  Lee,  &  Yurcik,  2005).  Security 
testing  is  conducted  based  on  threat  analysis  to  ensure  that  the  final 
UAV  smart  device  GCS  system  will  be  protected  from  the  threats  iden¬ 
tified  prior  to  deployment  and  to  prevent  attacks  once  the  UAV  smart 
device  GCS  system  is  fielded  (Wang  et  al.,  2012).  Once  the  system  is 
deployed,  the  threat  model  will  need  to  be  updated  to  reflect  the  chang¬ 
ing  threat  environment  and  changes  to  the  UAV  GCS  and  the  UAS. 
These  are  made  to  ensure  that  system  security  is  maintained. 


Poorly  written  security  requirements  that  fail 
to  hold  the  program  manager  or  the  defense 
contractor  accountable  for  implementation  of 
specific  security  parameters  will  be  outweighed 
by  costs,  resources,  mission  requirements,  time 
constraints  and  politics  to  meet  the  program 
schedule. 


248 


Defense ARJ,  April 201S,  Vol.  22 No.  2. 840-873 


April  2015 


Phase  II:  Conduct  Interviews 

Security  gaps  in  government  systems.  Cybersecurity  has  become  a 
major  focus  for  both  the  defense  and  commercial  industries  due  to  the 
growing  number  of  publicized  cybersecurity  breaches  to  both  industries. 
While  the  government  is  making  strides  to  address  cybersecurity  in  both 
the  workplace  and  battlefield,  we  must  first  understand  where  the  gaps 
exist.  Thirty  information  assurance  and  cybersecurity  subject  matter 
experts  in  areas  of  policy,  certification  and  accreditation,  design,  imple¬ 
mentation,  and  test  evaluation  were  interviewed  to  evaluate  the  existing 
gaps  in  the  DoD  processes  for  cybersecurity.  This  group  exposed  trends 
and  showed  existing  gaps  in  policy,  personnel,  and  threat  models. 

Security  policies  have  been  written  vaguely  and  are  often  open  for  inter¬ 
pretation.  Implementation  of  these  policies  has  been  at  the  discretion 
of  the  program  managers  who  may  not  completely  understand  what 
is  required,  and  therefore  fail  to  dedicate  the  personnel  and  financial 
resources.  Poorly  written  security  requirements  that  fail  to  hold  the 
program  manager  or  the  defense  contractor  accountable  for  imple¬ 
mentation  of  specific  security  parameters  will  be  outweighed  by  costs, 
resources,  mission  requirements,  time  constraints,  and  politics  to  meet 
the  program  schedule.  Once  the  system  reaches  information  assurance 
accreditation  and  certification,  the  system  design  is  complete  and  ready 
for  deployment.  The  cost  to  address  the  security  of  a  deployment-ready 
system  is  significantly  higher  than  at  the  start  of  the  program.  As  a  result, 
the  program  manager  will  most  often  be  forced  by  schedule  constraints 
to  accept  the  security  risks  to  meet  the  program  schedule,  budget  con¬ 
straints,  and  warfighter  need. 

Information  assurance  and  cybersecurity  expertise  over  the  years  has 
been  synonymous  with  security  policies,  accreditation,  and  certifica¬ 
tion;  however,  programs  need  cybersecurity  subject  matter  experts 
that  are  also  knowledgeable  about  the  system  (hardware,  software,  and 
communication  networks),  systems  engineering,  and  test  and  evalu¬ 
ation  processes.  Ideally,  security  teams  with  this  expertise  will  help 
to  ensure  all  components  of  the  system  have  been  properly  secured 
and  addressed  throughout  the  entire  system  development  life  cycle. 
However,  the  resources  and  personnel  to  support  each  respective  pro¬ 
gram  are  often  limited  or  not  available.  Accountability  for  properly 
securing  the  system  has  been  the  sole  responsibility  of  the  government; 
the  government  must  sufficiently  address  the  security  of  the  system  in 
the  requirements  section  of  the  contract  to  enforce  shared  responsibility 
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with  defense  contractors.  This  will  help  to  build  security  into  the  sys¬ 
tem  and  fill  the  personnel  gaps  and  expertise  that  currently  exist  within 
the  government. 

While  threat  models  are  being  used  by  the  DoD  to  evaluate  cyberse¬ 
curity  vulnerabilities  to  military  systems,  no  standard  approach  for 
threat  modeling  exists.  Every  program  has  a  different  perspective  and 
definition  of  what  a  threat  model  is  and  how  it  is  used.  Threat  models 
are  often  classified  because  of  the  type  of  data  they  collect  (e.g.,  threats 
and  vulnerabilities).  As  a  result,  threat  models  are  frequently  classified 
and  not  stored  at  operating  locations  and  development  sites,  limiting 
their  value  to  the  program.  This  critical  data,  however,  should  be  made 
available  as  a  tool  for  both  the  program  manager  and  the  security  team 
to  address  the  cybersecurity  vulnerabilities  of  the  system  and  to  build 
security  into  the  system  throughout  the  development  life  cycle. 

Phase  III:  UAV  Smart  Device  GCS  Threat  Model  Pilot 
Program 

While  the  use  of  UAV  smart  device  GCS  is  intended  to  enhance 
the  mission  planning  tools,  environmental  awareness,  and  operational 
capabilities  of  a  multimillion-dollar  UAV  to  support  soldiers  in  the  field, 
the  security  of  the  system  must  be  evaluated  and  embedded  into  the 
system  design  for  safe  operation.  Development  and  implementation  of 
the  robust  threat  model  for  the  UAV  smart  device  GCS  is  a  key  tool  to 
ensure  a  secure  and  a  safe  operational  environment. 

The  robust  threat  model  for  the  UAV  smart  device  GCS  is  a  seven- 
step  process  that  will;  (1)  characterize  the  system,  (2)  understand  the 
adversary’s  objectives,  (3)  identify  system  assets  and  vulnerabilities,  (4) 
identify  threats  and  attacks,  (5)  conduct  threat  analysis  and  prioritiza¬ 
tion,  (6)  identify  countermeasures,  and  (7)  determine  the  mitigation 
plan.  The  following  discussion  will  elaborate  on  each  step  of  the  threat 
model  approach  using  a  DoD  UAV  smart  device  GCS  pilot  program  for 
illustration  in  an  unclassified,  generalized  manner  to  avoid  discussion 
of  sensitive  data. 

Step  1— Characterize  the  system.  Characterizing  the  entire  UAS  is  an 
important  step  in  the  threat  modeling  process,  because  it  allows  the 
security  designer  to  understand  the  system  and  how  it  operates.  While 
the  overall  goal  of  the  threat  model  is  to  secure  the  UAV  smart  device 
GCS,  the  security  countermeasures  cannot  hinder  the  functionality 
and  the  ability  to  meet  mission  capabilities  and  goals.  Therefore,  this 
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Step  establishes  the  intended  functional  operation  for  the  system  and 
identifies  the  relationship  of  components  in  the  UAV  smart  device  GCS 
system  that  meets  mission  goals  (Torr,  2005).  While  the  primary  focus 
is  to  secure  the  UAV  smart  device  GCS,  the  functional  operation  of  the 
device  is  dependent  upon  other  external  components  within  the  system 
such  as  the  UAV,  communication  network,  and  other  field  units. 

The  TigerShark  UAV  is  a  mid- endurance  tactical  UAV  with  weapon 
capability  used  to  support  military  intelligence,  surveillance,  recon¬ 
naissance,  target  identification,  and  weapons’  deployment  missions. 
The  UAV  smart  device  GCS  system  for  the  pilot  program  has  four  major 
components  (Figure):  the  TigerShark  UAV,  the  smart  device  Android 
tablet  GCS,  the  smart  device  field  unit,  and  the  LTE  4G  communication 
network.  Depending  on  the  type  of  mission,  the  UAV  may  be  fiown  using 
a  preprogrammed  flight  plan  uploaded  to  the  onboard  computer  or  fiown 
by  a  remote  pilot  who  relies  solely  on  the  GCS  to  command  and  control 
the  UAV  (Mirkarimi  &  Pericak,  2003).  The  GCS  software  is  installed  on 
a  19-inch  Android  tablet  and  is  used  to  command  and  control  the  UAV 
and  its  payloads,  providing  real-time  avionics  flight  display,  navigation, 
system  health  monitoring  and  prognostics  display,  graphical  images  and 
position  mapping,  and  inward  data  processing.  Conveniently,  the  smart 
device  field  units  can  receive  intelligence  data  from  the  smart  device 
GCS  or  directly  from  the  UAV.  Lastly,  the  pilot  program  will  utilize  4G 
LTE  communication  network  technology  to  provide  the  high  perfor¬ 
mance,  high  bandwidth  network  for  enhanced  capabilities,  and  the  data 
networking  requirements  needed  to  receive  and  share  near  real-time 
data  with  the  UAV  smart  device  GCS. 


While  the  use  of  UAV  smart  device  GCS  is 
intended  to  enhance  the  mission  planning  tools, 
environmental  awareness,  and  operational 
capabilities  of  a  multimillion-dollar  UAV  to 
support  soldiers  in  the  field,  the  security  of  the 
system  must  be  evaluated  and  embedded  into  the 
system  design  for  safe  operation. 
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FIGURE  1.  UAV-SMART  DEVICE  GCS  SYSTEM 
FUNCTIONAL  DIAGRAM 


Step  2— Understand  the  adversary’s  objectives.  The  previous  step 
(Characterize  the  System)  established  the  components  and  functional¬ 
ity  of  the  system  to  identify  ways  the  adversary  will  want  to  attack  the 
system.  It  is  important  to  note  that  the  previous  step  identifies  mission 
and  functionality  goals,  while  this  step  establishes  the  security  param¬ 
eters  of  the  system,  keeping  in  mind  that  the  mission,  functionality,  and 
security  goals  are  all  intertwined,  and  all  are  equally  important  in  the 
threat  assessment  of  the  system. 

To  properly  defend  the  system,  one  must  view  the  system  the  way  an 
adversary  would.  To  succeed  in  blocking  the  impacts  of  enemy  attacks, 
the  security  team  must  first  identify  the  adversary’s  objectives.  The 
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key  step  here  is  to  answer  the  question,  what  do  the  attackers  want? 
(Myagmar  et  al.,  2005).  The  output  of  this  step  will  help  to  determine  the 
vulnerabilities  of  the  UAV  smart  device  GCS  in  the  next  step. 

The  adversary’s  goal  of  attack  on  the  smart  device  GCS  is  primarily  to;  (1) 
disrupt  the  operation  of  the  device  to  prevent  control  of  the  TigerShark 
UAV,  (2)  gain  control  of  the  smart  device  GCS  to  control  the  TigerShark 
UAV,  and  (3)  gain  access  to  data  that  may  be  useful  to  the  attacker.  If 
the  attacker  is  successful  in  any  of  these  goals,  the  attacker  can  prevent 
completion  of  the  mission  (Yochim,  2010).  These  goals  are  often  achieved 
through  spoofing,  tampering,  repudiation,  information  disclosure,  denial 
of  service,  and  elevation- of-privilege  attacks  (Myagmar  et  al.,  2005). 

Step  3— Identify  systems  assets  and  their  vulnerabilities.  Using  the 
information  developed  from  the  use  case  and  adversary’s  objectives, 
this  step  identifies  the  assets  and  vulnerabilities  specifically  for  the  UAV 
smart  device  GCS  system,  which  comprises  the  UAV  smart  device  GCS 
and  communication  network  only.  An  asset  is  an  “abstract  or  concrete 
resource  that  a  system  must  protect  from  misuse  by  an  adversary”  and  is 
often  an  opportunity  for  attack  (Myagmar  et  al.,  2005,  p.  3).  Vulnerability 
is  a  security  weakness  or  fiaw  that  makes  a  system  susceptible  to  attack 
(Oladimeji  et  al.,  2006). 

The  UAV  smart  device  GCS  system  is  comprised  of  the  hardware,  soft¬ 
ware,  and  communication  network  components;  therefore,  we  must 
assess  these  areas  of  vulnerability.  Yet,  we  cannot  properly  assess  the 
system  without  identifying  vulnerabilities  that  are  also  introduced  by 
the  users  and  maintainers  (Chirillo  &  Danielyan,  2005). 

Hardware  assets  and  vulnerabilities.  The  TigerShark  UAV  pilot  pro¬ 
gram  is  utilizing  an  Android  smart  device  tablet  for  the  GCS.  Hardware 
assets  within  the  Android  smart  device  tablet,  such  as  the  microphone, 
camera,  and  GPS,  can  be  exploited  to  monitor  the  user  and  the  users’ 
surrounding  environment  (Delac,  Silic,  &  Krolo,  2011).  Memory  storage 
can  also  contain  classified  information  about  the  mission  that  can  be  use¬ 
ful  to  the  attacker  (Hasan,  Myagmar,  Lee,  &  Yurcik,  2005,  pp.  94-102). 
Although  the  battery  does  not  contain  sensitive  information,  attackers 
can  drain  it  to  disrupt  or  terminate  operation  of  the  system  (Delac  et 
al.,  2011).  These  threats  can  be  introduced  through  malware  software 
that  enters  through  software  and  counterfeit  hardware  vulnerabilities. 
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Supply  chain  cybersecurity  attacks  have  been  a  growing  concern  of  the 
United  States  government  since  2005,  resulting  in  the  seizure  of  large 
quantities  of  counterfeit  network  hardware  and  other  information 
technology  from  Chinese  telecommunication  companies.  Supply  chain 
cybersecurity  threats  are  introduced  by  hostile  agents  that  purposefully 
install  spyware  into  hardware  components  and/or  alter  circuitry  with 
malicious  firmware  that  is  later  sold  to  government  and  big  businesses  as 
counterfeit  hardware  (Goodwin,  2013).  Once  the  electronic  components 
are  connected  to  the  network,  the  enemy  can  easily  gain  access  to  it  or, 
even  worse,  gain  control  of  the  electronic  device  to  spy  or  cause  harm. 
Unfortunately,  many  supply  companies  are  transnational  or  the  result  of 
mergers,  which  makes  it  virtually  impossible  to  adopt  corporate  owner¬ 
ship  or  control  supply  chain  security  of  hardware  components. 

Another  vulnerability  is  that  enemies  can  gain  physical  access  to  the 
smart  device  GCS  in  a  battlefield  environment.  A  soldier  under  heavy  fire 
can  lose,  drop,  damage  the  device,  or  leave  it  behind  in  a  life-and-death 
situation.  The  device  can  then  be  tampered  with  and  analyzed  to  gain 
access  to  sensitive  information  stored  in  its  memory. 

Software  assets  and  vulnerabilities.  The  heart  of  the  smart  device 
GGS  is  its  mobile  operating  system,  which  controls  its  hardware 
resources  and  software  applications.  Infiltration  of  the  operating  sys¬ 
tem  can  be  achieved  through  “jailbreaking,”  whereby  restrictions  and 
security  measures  can  be  removed  to  allow  users  to  modify  the  device 
and  install  software  applications.  Once  the  attacker  has  found  a  way 
inside  the  system,  it  is  easy  to  manipulate  the  hardware  resources  and 
transform  the  smart  device  into  a  device  for  spying  that  will  allow  the 
attacker  to  capture  images  and  video,  tap  and  record  conversations, 
view  sensitive  information,  and  gain  the  location  of  targeted  individuals 
(Felt,  Finifter,  Ghin,  Hanna,  &  Wagner,  2011,  pp.  3-14).  The  pilot  pro¬ 
gram  is  utilizing  a  smart  tablet  with  an  Android  operating  system.  The 
software  code  has  been  made  publicly  available  to  allow  customization 
and  modifications  to  meet  the  needs  of  the  various  smart  device  types 
and  communication  carriers.  The  open  operating  system  has  resulted 
in  many  variations  of  Android  smartphones  and  tablets  whereby  differ¬ 
ent  carriers  with  identical  devices  may  have  different  variations  of  the 
operating  system  software.  Google  security  updates  are  pushed  to  the 
system’s  end  users  at  the  discretion  of  carrier  and  third-party  applica¬ 
tion  developers;  depending  on  the  complexity  and  time  to  make  and  test 
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Software  apps  downloaded  to  the  smart  device  are 
an  easy  target  of  cyber  security  attacks  and  must 
be  protected  by  security  mechanisms  such  as  app 
certification  or  signature  and  pre-testing. 


modifications  to  tailor  their  devices,  the  carrier  or  third  party  software 
app  developers  may  refuse  to  push  the  update  to  the  end  user,  thereby 
increasing  vulnerability  to  the  smart  devices  (Rose,  2011). 

Software  apps  provide  the  functionality  of  the  GCS  on  smart  devices.  A 
successful  attack  on  the  software  app  could  allow  the  attacker  to  gain 
control  of  the  UAV  functionality  and  access  data  gathered  from  the  UAV, 
targeting  individuals  or  locations  for  physical  harm  (Do,  Kwon,  &  Moon, 
2013). 

Communication  network  vulnerabilities.  In  a  tactical  environment, 
ground  soldiers  are  moving  in  a  remote  terrain  where  the  coverage  and 
performance  of  mobile  networks  are  degraded  and  unsecure.  Therefore, 
ground  soldiers  must  provide  their  own  secure,  mobile  networks  to 
ensure  continuous  service  (O’Rourke  &  Johnson,  2011).  Stationary  base 
stations  establish  a  mobile  network  through  a  high-bandwidth,  wired 
network  backbone.  However,  if  the  ground  soldiers  move  to  another 
location,  the  mobile  network  is  disrupted  and  inoperable  until  it  is 
re-established. 

Base  stations  are  often  attractive  targets  by  hostiles  desiring  to  dis¬ 
able  the  communication  network.  If  the  base  station  is  destroyed,  the 
secure  communication  network  is  inoperable,  and  ground  soldiers  will 
create  their  own  insecure  mobile  networks  or  use  insecure  commercial 
networks.  These  actions  introduce  threats  into  the  communication 
network,  the  devices  operating  on  the  network,  and  the  missions  they 
support  (Bhargava,  2013).  Direct  attacks  on  the  communication  network 
can  disrupt  the  connection  between  the  UAV  and  the  smart  device  GCS, 
thereby  preventing  operation  and  control  of  the  UAV.  They  prevent  the 
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sharing  of  information  within  the  UAV  smart  device  GCS  system;  and 
potentially  share  information  with  other  unauthorized  users  (Clark  et 
al.,  2007). 

Human  vulnerabilities.  Threat  models  often  focus  on  external  attack¬ 
ers  and  threats  that  can  affect  the  system.  What  tends  to  be  overlooked, 
however,  is  how  users  and  maintainers  of  the  system  also  pose  a  danger 
to  the  system.  Users  can  accidentally  or  intentionally  share  sensitive 
information  or  physically  compromise  the  system  by  disregarding  poli¬ 
cies  and  operating  procedures,  or  fail  to  update  policies  and  procedures 
aimed  at  current  threats  (Clark  et  al.,  2007).  Although  smart  devices 
have  been  deployed  in  the  battlefield  to  function  as  UAV  GCSs,  they  can 
also  be  used  for  many  other  capabilities  that  may  be  of  interest  to  the 
unwitting  user  and  introduce  threats  to  the  GCS.  For  instance,  users  and 
operators  could  access  social  networks  and  e-mail  outside  of  battlefield 
operations,  thereby  increasing  the  chances  that  phishing,  spam,  mal¬ 
ware,  and  spyware  will  infiltrate  the  system  (Leavitt,  2011). 

Maintainers  of  the  smart  device  GCS  play  a  crucial  role  in  its  security 
and  also  determine  the  effectiveness  of  countermeasures  implemented 
within  the  device.  Poorly  maintained  systems  expose  entry  points  of 
attack  to  gain  control  of  the  UAV  GCS  (Whitman  &  Mattord,  2010). 

Step  4— Identify  threats  and  attacks.  Using  the  information  gathered  in 
the  previous  step,  the  next  step  is  to  identify  threats  and  attacks  to  the 
system.  As  previously  mentioned,  a  threat  is  defined  as  a  “potential  vio¬ 
lation  of  the  security  of  a  system,  an  event  that  may  have  some  negative 
impact,”  and  an  attack  is  an  “exploitation  of  a  vulnerability  to  realize  a 
threat”  (Oladimeji  et  al.,  2006,  p.  1).  The  threat  identification  process 
described  in  the  following  discussion  examines  threats  in  detail  for  four 
areas  of  vulnerabilities. 

Hardware  threats.  Threats  to  the  Android  smart  device  GCS  hardware 
include  attacks  that  cause  battery  exhaustion,  fiooding,  surveillance,  and 
USB  and  storage  attacks.  Battery  exhaustion  attacks  cause  the  battery 
to  discharge  faster  than  normal,  killing  the  smart  device  and  ultimately 
disabling  the  GCS.  This  prevents  the  operation  and  control  of  the  UAV. 
Flooding  attacks  disable  the  smart  device  by  overloading  it  with  numer¬ 
ous  signals  or  messages,  preventing  GCS  operation  or  preventing  it  from 
providing  or  receiving  information  within  the  network  (Bhusari  &  Sahu, 
2013).  Surveillance  attacks  employ  smart  device  sensors  to  monitor 
the  surrounding  environment  and  soldier  movement,  which  allows  the 
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attacker  to  gain  unauthorized  access  to  mission  information  and  iden¬ 
tify  the  location  of  the  soldier  maneuvering  the  UAV  and  other  soldiers 
nearby.  Storage  snooping  attacks,  a  result  of  malware,  allow  the  attacker 
to  gain  access  to  sensitive  information  via  storage  snooping  attacks. 
Storage  jamming  and  alteration  attacks  modify  data  for  the  purpose 
of  subverting,  degrading,  or  disrupting  operations  (Hasan  et  al.,  2005). 

Software  threats.  Mobile  platforms  resemble  traditional  desktop 
operating  systems;  therefore,  the  security  threat  profile  of  a  personal 
computer  has  migrated  to  smart  devices  (Delac  et  al.,  2011).  Malware 
attacks  gain  access  to  a  device  to  steal  data,  damage  the  device,  or  annoy 
the  user.  This  threat  includes  Trojan  horses,  botnets,  worms,  key  loggers, 
and  rootkits  (Felt  et  al.,  2011).  In  addition,  malware  can  be  used  to  disrupt 
and  gather  sensitive  information  or  obtain  control  of  the  GCS  and  UAV. 
Spyware  collects  personal  information  such  as  location  and  stored  infor¬ 
mation  (Felt  et  al.,  2011).  It  can  also  be  used  to  gather  intelligence  from 
UAV  real-time  data  feeds  or  directly  from  the  smart  device  GCS  using 
the  microphone,  camera,  GPS,  or  stored  data  to  obtain  mission-sensi¬ 
tive  information.  Data  accessed  by  malware  and  spyware  attacks  can 
introduce  data  leakage  and  unauthorized  data  transmission.  Malicious 
software  also  can  be  used  to  tamper  with  data  by  either  destruction  or 
modification  (Bhusari  &  Sahu,  2013).  Sensitive  information  or  danger¬ 
ous  capabilities  are  often  protected  by  requiring  user  consent  before  an 
application  can  gain  access.  However,  elevation  of  privilege  is  a  com¬ 
mon  attack  achieved  through  software  manipulation  to  gain  access  to 
resources  that  would  otherwise  be  protected  (Olzak,  2006). 

Communication  network  threats.  Threats  to  the  communication 
network  include  network  eavesdropping,  spoofing,  denial  of  service, 
impaired  quality  of  service,  jamming,  weak/compromised  cryptography, 
and  unencrypted  communication.  Network  eavesdropping  or  sniffing 
captures  and  decodes  packets  as  transmitted  over  the  network.  Spoofing 
attacks  masquerade  the  hacker  as  a  trusted  party  in  the  network  to  gain 
access  to  sensitive  information,  which  can  lead  to  data  leakage— the 
unauthorized  transmission  of  sensitive  data.  Denial  of  service  or  net¬ 
work  congestion  overloads  a  link  or  node  in  the  UAV  smart  device  GGS 
system  with  an  extensive  amount  of  data  to  reduce  the  quality  of  network 
performance  or  cause  denial  of  service  (Spiewak,  Engel,  &  Fusenig,  2006, 
pp.  35-40).  Impaired  quality  of  services,  another  form  of  denial  of  service, 
is  an  attack  that  degrades  the  level  of  performance  or  causes  disruption 
of  the  network  to  prevent  services  required  for  applications,  users,  or 
data  flow  (Glark  et  al.,  2007).  Denial  of  service  attacks  not  only  threaten 
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the  communication  network,  but  also  the  UAV.  False  commands  or 
control  signals  transmitted  over  the  network  to  the  UAV  can  make  the 
UAV  land  or  attack  somewhere  else  (Javaid  et  al.,  2012).  A  jamming 
device  can  disrupt  and  disable  communication  between  the  smart 
device  GCS  and  UAV,  and  other  components  in  the  network,  thereby 
preventing  control  of  the  UAV  and  dissemination  of  information  within 
the  network  hub.  Weak  cryptographic  algorithms  are  easily  broken  by 
attackers  exposing  sensitive  data  to  adversaries.  If  the  attacker  inter¬ 
cepts  the  encryption  key,  the  cryptography  becomes  compromised,  and 
the  network  is  exposed  to  data  leakage.  Sharing  sensitive  information 
using  unencrypted  communications  allows  for  harmful  data  leakage 
to  unauthorized  parties  (Clark  et  al.,  2007). 

Human  threats.  Threats  to  the  UAV  smart  device  GCS  can  also  be 
introduced  by  system  users  and  maintainers.  In  some  instances,  threats 
will  enter  the  system  due  to  careless  mistakes  or  inadequate  practices, 
such  as  the  failure  to  follow  policies  or  inadequate  policies,  use  of  unen¬ 
crypted  communication,  carelessness  with  cryptographic  keys,  poor 
risk  decisions,  and  poor  management  or  maintenance.  These  threats 
can  lead  to  data  leakage,  entry  of  erroneous  data,  accidental  deletion  or 
modification  of  data,  storage  of  data  in  unprotected  areas,  and  failure 
to  protect  information  (Whitman  &  Mattord,  2010).  Poor  risk  decisions 
can  be  the  result  of  carelessness  or  a  combination  of  poor  training 
and  the  stress  and  limitations  of  completing  missions  in  a  battlefield 
environment.  Insufficient  management  and  maintenance  of  the  GGS 
can  compromise  system  integrity,  hinder  GGS  performance,  and  even 
render  it  inoperable  (Glark  et  al.,  2007). 

Gompromised  personnel  acting  as  inside  agents  are  another  vulner¬ 
ability.  They  can  introduce  threats  such  as  harmful  data  leakage  and 
could  modify  stored  accountability  information.  Obvious  threats  from 
an  inside  agent  include  directing  the  GGS  and  UAV  to  conduct  sur¬ 
veillance  on  and  attack  military  personnel.  Access  to  the  GGS  could 
also  provide  sensitive  data  to  adversaries  and  lead  to  the  destruction 
of  sensitive  data.  Accountability  information  is  extremely  important 
in  military  applications,  as  users  and  maintainers  are  responsible  for 
operating  and  maintaining  a  device  that  controls  multimillion-dollar 
unmanned  aircraft  with  weapon  capabilities.  In  the  event  that  an 
error  occurs,  poor  decisions  are  made,  or  the  device  is  compromised, 
accountability  logs  can  be  reviewed  post-operation  to  connect  actions 
to  people.  Accountability  logs  can  be  attacked  by  preventing  the  col¬ 
lection  or  storage  of  accountability  information.  By  the  same  token. 
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deletion  and  modification  of  accountability  information  to  shift  blame 
or  render  it  impossible  to  determine  blame  also  has  a  negative  effect  on 
security  (Clark  et  al.,  2007). 

Step  5— Conduct  threat  analysis  and  prioritization.  The  previous  steps 
help  to  identify  threats  to  UAV  smart  device  GCSs.  The  next  step  ana¬ 
lyzes  threats  by  completing  a  thorough  risk  assessment  of  each  threat  to 
prioritize  the  threats  and  address  countermeasures  for  high-risk  attacks 
(Myagmar  et  al.,  2005). 

While  it  is  impossible  to  guarantee  100  percent  security  of  a  system, 
it  is  important  to  identify  the  threats,  prioritize  their  associated  risks, 
and  identify  those  that  are  most  crucial  for  the  UAV  smart  device  CCS 
operational  environment  (Oladimeji  et  al.,  2006).  To  assess  the  risk  of 
identified  threat  attacks,  the  likelihood  and  impact  are  calculated  using 
the  National  Institute  of  Standards  and  Technology  (NIST)  Management 
Guide  for  Information  Technology  Systems  methodology  (Stoneburner, 
G.,  Goguen,  A.,  &  Feringa,  A.,  2002).  NIST  is  the  designated  authority  for 
the  development  of  information  security  standards  and  guidelines  for 
federal  government  agencies  and  private  industry.  Since  the  UAV  smart 
device  GGS  operational  environment  is  being  evaluated  for  military 
purposes,  the  NIST  methodology  is  appropriate  for  assessing  the  risk 
and  applied  as  follows. 

Likelihood  determination.  The  likelihood  is  the  probability  that  a 
potential  vulnerability  will  occur  in  the  associated  threat  environment 
and  considers  threat-source  motivation  and  capability,  nature  of  the 
vulnerability,  and  the  existence  and  effectiveness  of  current  counter¬ 
measures  (Stoneburner,  Goguen,  &  Feringa,  2002).  The  following  NIST 


criteria  are  used  to  rate  the  likelihood  of  the  threats  identified  (Table  2). 

TABLE  2.  LIKELIHOOD  DEFINITIONS  1 

Likelihood  Level 

Likelihood  Definition 

High  (1.0) 

The  threat  source  is  highly  motivated  and 
sufficiently  capable;  controls  meant  to  prevent  the 
vulnerability  from  being  exercised  are  ineffective. 

Medium  (0.5) 

The  threat  source  is  motivated  and  capable,  but 
controls  are  in  place  that  may  impede  successful 
exercise  of  the  vulnerability. 

Low  (0.1) 

The  threat  source  lacks  motivation  or  capability, 
or  controls  are  in  place  to  prevent,  or  at  least 
significantly  impede,  the  vulnerability  from  being 
exercised. 
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Impact  assessment.  The  impact  assessment  determines  the  level 
of  impact  to  system  assets  and  sensitive  data  based  on  protections 
required  to  maintain  security  goals  (Stoneburner,  Goguen,  &  Feringa, 
2002).  The  following  criteria  are  used  to  rate  the  impact  of  the  threats 
to  the  handheld,  portable  GCS  (Table  3). 


TABLE  3.  IMPACT  DEFINITION 

Magnitude  of 
Impact 

Impact  Definition 

High  (100) 

Exercise  of  the  vulnerability  (1)  may  result  in  the 
highly  costly  loss  of  major  tangible  assets  or 
resources;  (2)  may  significantly  violate,  harm,  or 
impede  an  organization's  mission,  reputation, 
or  interest;  or  (3)  may  result  in  human  death  or 
serious  injury. 

Medium  (50) 

Exercise  of  the  vulnerability  (1)  may  result  in  the 
costly  loss  of  tangible  assets  or  resources;  (2)  may 
violate,  harm,  or  impede  an  organization's  mission, 
reputation,  or  interest;  or  (3)  may  result  in  human 
injury. 

Low  (10) 

Exercise  of  the  vulnerability  (1)  may  result  in  the 
loss  of  some  tangible  assets  or  resources  or  (2) 
may  noticeably  affect  an  organization's  mission, 
reputation,  or  interest. 

Threat  risk  assessment  results.  Using  the  likelihood  and  impact  cri¬ 
teria,  analyzed  threats  to  the  UAV  smart  device  GGS  system  (Table 
4)  with  a  team  of  cybersecurity  and  system  subject  matter  experts. 
Likelihood  was  assessed  using  existing  threat  data.  Gurrent  research, 
experience,  vulnerabilities,  and  the  ability  of  existing  controls  to  mini¬ 
mize  vulnerabilities  to  the  TigerShark  UAV  smart  device  GGS  were 
included  in  the  evaluation.  Impact  was  assessed  based  on  effect  on 
mission  goals  and  objectives,  physical  damage  to  assets  and  resources 
(UAV,  GGS,  etc.),  and  potential  death  or  injury  to  humans.  The  risk  for 
each  threat  was  calculated  as  the  product  of  the  impact  and  likelihood, 
and  risks  were  assessed  at  the  following  NIST  defined  levels:  High  Risk 
(product  value  >50  to  100),  Medium  Risk  (product  valuolO  to  50),  and 
Low  Risk  (1  to  10)  (Stoneburner,  Goguen,  &  Feringa,  2002). 
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TABLE  4.  RISK  ANALYSIS  SUMMARY 


Threat 

Likelihood 

Impact 

Risk 

HARDWARE 

Battery  Exhaustion 

0.5 

100 

50 

Flooding 

1.0 

50 

50 

Surveillance 

1.0 

100 

100 

USB 

0.1 

10 

1 

Storage  Snooping 

0.5 

50 

25 

Storage  Jamming 

0.5 

10 

5 

Storage  Erasure/Alteration 

0.1 

50 

5 

SOFTWARE 


Malware 

1.0 

100 

100 

Phishing 

0.5 

50 

25 

Data  Leakage 

1.0 

50 

50 

Spyware 

1.0 

100 

100 

Data  Tampering 

1.0 

50 

50 

Elevation  of  Privilege 

1.0 

100 

100 

COMMUNICATION  NETWORK 

Eavesdropping 

1.0 

100 

100 

Spoofing 

0.5 

100 

50 

Denial  of  Service 

1.0 

100 

100 

Jamming 

1.0 

10 

10 

Weak/Compromised  Cryptography 

0.5 

50 

25 

Unencrypted  Communication 

0.1 

50 

5 

Impaired  Quality  of  Service 

0.5 

100 

100 

HUMAN 

Breaking  Policy 

1.0 

100 

100 

Inadequate  Policy 

1.0 

100 

100 

Unencrypted  Communication 

0.5 

50 

25 

Carelessness  with  Cryptographic  Keys 

1.0 

50 

50 

Harmful  Data  Leakage 

0.5 

50 

25 

Compromise  of  Personnel 

0.5 

100 

50 

Poor  Risk  Decisions 

0.5 

100 

50 

Poor  Management/Maintenance 

1.0 

100 

100 

Overloading  the  Operator 

0.5 

10 

5 

Prevention  of  Accountability  from  Being  Stored 

0.1 

10 

1 

Destruction  of  Accountability  Data 

0.1 

10 

1 

Modification  of  Accountability  Data 

0.1 

10 

1 
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Based  on  the  above  criteria,  the  risk  assessment  in  Table  4  shows  that 
surveillance  attacks  to  the  hardware,  malware,  and  spyware  attacks 
to  the  software;  eavesdropping,  denial  of  service,  and  impaired  qual¬ 
ity  of  service  attacks  to  the  communication  network;  and  neglected 
or  inadequate  policy  and  poor  management  and  maintenance  prac¬ 
tices  pose  the  greatest  risk  to  the  UAV  smart  device  GCS  system.  Of 
all  these,  malware  is  the  most  significant  threat,  because  its  likeli¬ 
hood  is  extremely  high.  The  communication  network  is  an  important 
component  to  the  UAS  operation.  As  previously  mentioned,  the  UAV 
smart  device  GCS  pilot  is  utilizing  4G  LTE  network  technology,  a  com¬ 
mercial  communication  network.  While  use  of  the  4G  LTE  network 
provides  the  communication  network  requirements  for  UAS  opera¬ 
tion  in  the  battlefield,  it  doesn’t  provide  the  security  of  legacy  military 
systems,  thus  increasing  the  risk  of  eavesdropping,  denial  of  service, 
and  impaired  quality  of  service  attacks.  While  there  are  solutions  to 
secure  the  network  during  operation,  performance  degradation  of  the 
smart  device  GCS  is  an  issue.  Neglected  or  inadequate  policies  are  a 
major  vulnerability  for  UAV  smart  device  GCSs.  Neglected  or  inad¬ 
equate  policy  can  place  the  operator  and  other  friendly  forces  on  the 
battlefield  in  danger  and  compromise  the  security  of  the  GCS  and  UAV. 
Poor  management  or  maintenance  of  the  UAV  smart  device  GCS  can 
weaken  countermeasures  embedded  in  the  system  and  increase  the  risk 
of  new  threats  to  the  UAS.  These  significant  risks  to  the  system  should 
be  given  high  priority  and  addressed  with  countermeasures. 

Medium-high  risk  threats  that  require  countermeasures  include  bat¬ 
tery  exhaustion  and  fiooding  attacks  to  hardware;  data  leakage  and 
surveillance  attacks  to  software;  data  tampering,  and  spoofing  attacks 
to  the  communications  network;  and  compromised  personnel,  poor 
management,  and  poor  risk  decisions.  The  military  must  evaluate  the 
remaining  threats,  which  include  those  of  medium  and  low  risk,  and 
determine  whether  to  implement  countermeasures,  based  on  perfor¬ 
mance  and  cost  factors,  or  accept  the  risk. 

Step  6  -  Identify  Countermeasures.  Countermeasures  are  “techniques 
to  protect  the  system”  (Alghamdi  et  al.,  2010,  p.  3).  This  step  identifies 
countermeasures  to  counteract  the  medium-  and  high-risk  attacks  to 
the  UAV  smart  device  GCS  identified  in  the  last  step.  While  a  number 
of  countermeasures  will  be  identified  to  reduce  risk  to  the  system,  all 
countermeasures  cannot  be  implemented  due  to  costs  and  performance 
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degradation.  Outputs  from  the  threat  analysis  in  the  previous  step  will 
help  to  determine  the  combination  of  countermeasures  for  optimal  pro¬ 
tection  with  performance  and  costs. 

Hardware  countermeasures.  U.S.  companies  and  agencies  can  reduce 
risk  to  counterfeit  networking  hardware  by  limiting  purchases  to  trusted 
vendors.  Companies  can  also  conduct  random  tests  on  devices  during  the 
distribution  and  installation  phases  to  determine  whether  they  contain 
extra  components  or  serious  vulnerabilities  (Lee  &  Rotoloni,  2012). 

A  Smart  device  GCS  obtained  by  the  adversary  can  be  counteracted  with 
security  mechanisms  such  as  authentication,  encryption,  and  remote 
wipe.  These  techniques  can  protect  against  unauthorized  access  to 
classified  or  sensitive  information.  Authentication  limits  access  and 
privileges  to  only  authorized  parties,  detecting  and  preventing  access 
by  others.  This  can  also  be  achieved  with  passwords  and  screen  lock 
codes;  however,  they  can  hinder  the  quick  response  and  performance  of 
soldiers  using  the  devices  on  the  battlefield.  Encryption  encodes  data  to 
prevent  disclosure  of  sensitive  or  classified  data  to  unauthorized  parties. 
It  can  also  protect  data  at  rest  (i.e.,  files,  memory,  USB  fiash  drives,  etc.) 
when  physical  security  fails  (Wang  et  al.,  2012).  Meanwhile,  remote  wipe 
allows  the  smart  device  GCS  to  be  commanded  remotely.  Therefore,  it 
can  be  reset  or,  if  the  device  falls  into  an  unauthorized  user’s  posses¬ 
sion,  stored  data  can  be  erased.  This  security  mechanism  can  be  evaded, 
however,  by  removing  the  battery  or  memory  card  prior  to  receiving  the 
remote  wipe  command  (Hasan  et  al.,  2005). 

Software  countermeasures.  Malware  and  spyware  are  the  most  common 
attacks  to  operating  system  software  and  software  applications,  and  can 
have  major  consequences  if  not  detected  immediately.  Frequent  testing 
for  malware  can  be  done  using  fuzz  testing  and  static-analysis  code 
scanning  test  tools.  Fuzz  testing  sends  structured,  invalid  inputs  to  soft¬ 
ware  application  programs  and  network  interfaces  to  detect  errors  that 
can  lead  to  software  vulnerabilities.  Static-analysis  code  scanning  test 
tools  can  detect  specific  kinds  of  coding  fiaws  and  software  vulnerabili¬ 
ties  (Lipner,  2004).  The  smart  device  GGS  can  also  be  protected  using 
antivirus  and  firewall  software.  Antivirus  software  can  prevent,  detect, 
and  remove  malware  from  software  applications  and  operating  system 
software,  whereas  a  firewall  can  prevent  unauthorized  access  to  and 
from  the  smart  device  GGS  and  access  to  unauthorized,  untrusted  wire¬ 
less  networks.  Software  applications  often  access  hardware  resources 
within  the  smart  device  beyond  what  is  required  for  operation  of  the 
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app,  increasing  vulnerability  of  the  smart  device  GCS.  Access  control 
limits  accessibility  to  resources  and/or  services,  only  allowing  the  app 
to  tap  into  the  minimum  resources  needed  (Jeon,  Kim,  Lee,  &  Won, 
2011).  Resource  management  monitors  the  availability  and  condition  of 
resources  (Shabtai  et  al.,  2010). 


Although  smart  devices  will  be  used  primarily  as  UAV  GCSs,  soldiers 
may  be  tempted  to  access  personal  e-mail  and  social  networks,  thereby 

introducing  threats  such  as  spam  and 
phishing.  Gommunication  from  outside 
the  secure  network  should  be  blocked. 
Spam  filters  can  also  be  used  to  prevent 
receipt  of  spam  from  unwanted  parties 
via  multimedia  message  service,  text  mes¬ 
sages,  e-mail,  and  telephone  (Jeon  et  al., 
2011). 


Software  apps  downloaded  to  the  smart 
device  are  an  easy  target  of  cybersecurity 
attacks  and  must  be  protected  by  security 
mechanisms  such  as  app  certification  or 
signature  and  pre-testing.  Application  sig¬ 
natures  should  be  used  to  ensure  that  the 
software  is  from  a  trusted  source  and  has 
not  been  tampered  with.  Pretesting  soft¬ 
ware  apps  by  detecting  malicious  malware 
prior  to  use  in  the  battlefield  ensures  that 
only  secure  apps  will  be  uploaded  to  the 
software  app  database  (Jeon  et  al.,  2011). 

Vulnerabilities  to  the  software  can  be 
mitigated  by  regularly  updating  the  oper¬ 
ating  system  and  software  applications 
immediately  after  updates  are  released 
(Jeon  et  al.,  2011). 


Gommunication  network  countermeasures.  Many  threats  to  UAV  smart 
device  GGSs  arise  from  deficiencies  in  network  security.  Flooding, 
jamming,  denial  of  service,  and  impaired  quality  of  service  attacks 
can  be  mitigated  by  bandwidth  allocation,  which  limits  bandwidth 
for  the  smart  device  to  prevent  excessive  connection  request  attacks 
that  may  impair  network  and  affect  the  operation  of  the  smart  device 
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GCS.  Eavesdropping  and  data  leakage  can  be  prevented  by  network 
encryption,  which  encodes  data  to  prevent  disclosure  of  sensitive  data 
to  unauthorized  parties  and  can  protect  data  in  transit  over  shared  net¬ 
works.  However,  encryption  policies  and  procedures  must  be  updated 
periodically  to  ensure  an  adequate  level  of  cryptography.  Data  transferred 
over  the  network  can  be  protected  by  safe  http  data-transfer  protocols, 
authentication  certificates,  data  encryption  and  decryption,  and  virtual 
private  networks  (Markelj  &  Bernik,  2012).  UAV  GCS  software  requires 
consistent  network  access,  but  other  software  apps  that  support  military 
operations  may  not  (Clark  et  al.,  2007). 

In  the  past,  network  security  concerns  have  hindered  widespread  smart 
phone  deployment  on  the  battlefield,  but  since  2010,  the  DoD  has  moved 
to  enhance  communication  networks  to  accommodate  the  requirements 
for  smart  devices  and  UAV  capabilities  on  the  battlefield  (Edwards, 
2012).  Stationary  base  stations,  as  previously  discussed,  didn’t  provide 
the  infrastructure  required  for  smart  devices  and  UAVs,  and  therefore 
were  inadequate  for  the  current  technology  and  enhanced  capabilities 
(O’Rourke  &  Johnson,  2011).  New  technology  advancements,  such  as 
mesh  networks,  mobile  ad  hoc  networks,  cognitive  radios,  and  satellite 
communications  have  offered  better  options  for  mobile  network  avail¬ 
ability  on  the  battlefield.  Mesh  networks  or  mobile  ad  hoc  networks 
provide  high  bandwidth  networking  capabilities  to  connect  multiple 
smart  devices  within  a  specified  range,  control  UAVs,  and  disseminate 
data  feeds  within  the  communication  network.  Gognitive  radios  can 
adapt  to  user  needs  and  bandwidth  conditions,  providing  quality  system 
performance  in  all  types  of  terrain.  They  are  also  resistant  to  eavesdrop¬ 
pers  and  jammers  (Edwards,  2012).  Advances  in  technologies  such  as 
antenna  design  and  signal  reception  have  made  satellite  communication 
networks  a  viable  solution  for  smart  devices  on  the  battlefield.  Satellite 
communication  is  ideal  for  coverage  of  terrestrial  areas  (Varshney  & 
Vetter,  2000). 

The  effectiveness  of  countermeasures  previously  identified  depends  on 
the  actions  taken  by  users  and  maintainers  to  secure  the  system.  Security 
countermeasures  for  the  GGS  can  be  significantly  enhanced  through 
security  policies,  education,  training,  and  awareness  (Ghen,  Shaw,  & 
Yang,  2006).  To  reduce  the  risk  of  data  leakage,  policies  and  operating 
procedures  should  be  updated  periodically  to  refiect  current  mission 
requirements  and  threats.  Security  policy  is  important,  as  it  defines 
the  rules,  guidelines,  and  procedures  for  proper  use  and  protection  of 
the  system  (D’Arcy,  Hovav,  &  Galletta,  2009).  In  addition  to  updating 
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policy,  users  and  maintainers  must  be  made  aware  of  all  changes  in  poli¬ 
cies  and  procedures,  and  be  educated  and  trained  periodically  to  stay 
abreast  of  the  most  up-to-date  information.  This  will  also  make  users 
and  maintainers  accountable  for  their  actions  on  the  battlefield.  Security 
education,  training,  and  awareness  provide  users  and  maintainers  with 
information  regarding  the  security  environment  and  the  skills  required 
to  perform  security  procedures  and  reinforce  security  policy  awareness 
and  comprehension  (D’Arcy  et  al.,  2009).  These  should  address  infor¬ 
mation  security  policy,  system  access  control,  system  development  and 
maintenance,  personnel  security,  physical  and  environmental  security, 
security  organization,  asset  classification  and  control,  communications 
and  operations  management,  business  continuity  management,  and 
compliance  (McAdams,  2004). 

Maintenance  of  the  smart  device  GCS  is  essential  for  their  security. 
Updates,  upgrades,  and  patches  are  especially  important,  as  they 
increase  protection  from  known  cybersecurity  threats  and  reduce  risks 
to  vulnerabilities  in  software  code  in  the  operating  system  and  soft¬ 
ware  applications.  Smart  device  hardware  must  also  be  evaluated  and 
maintained  to  ensure  system  effectiveness  and  ability  to  meet  mission 
requirements.  If  the  system  is  deemed  ineffective  or  no  longer  meets 
the  mission  requirements,  the  devices  should  be  disabled  and  properly 
disposed  of  (Whitman  &  Mattord,  2010). 

To  prevent  human  error  or  to  block  compromised  personnel  from 
gaining  control  of  the  device,  controls  or  safeguards  should  be  imple¬ 
mented.  Strong  authentication  safeguards  can  be  as  simple  as  entering 
a  command  twice;  having  another  party  verify  a  command  before 


If  designers  are  not  careful,  they  can  go  too  far  in 
designing  countermeasures  and  render  them  more 
expensive  than  they  are  worth. 
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implementation;  using  passwords,  smart  card,  personal  identification 
numbers,  and/or  a  form  of  biometrics  verification  (Whitman  &  Mattord, 
2010). 

Step  7  -  Determine  the  mitigation  plan.  In  the  previous  steps,  risk  was 
assessed  to  identify  high-priority  threats  that  should  be  mitigated  and 
countermeasures  were  identified  to  block  the  attacks  to  the  UAV  smart 
device  GCS.  Once  the  threat-attacks  have  been  assessed  and  prioritized, 
they  must  be  managed  by  assuming,  controlling,  transferring,  or  avoid¬ 
ing  the  risk.  A  risk  should  be  assumed  if  the  risk  is  low  and  the  cost  to 
mitigate  is  sufficiently  high;  it  can  also  be  transferred  to  another  user  via 
warnings,  etc.  If  a  system  component  or  feature  associated  with  a  risk 
is  too  costly  to  mitigate  or  the  risk  is  too  high  to  accept,  the  risk  can  be 
avoided  by  removing  the  relevant  component  or  feature.  Lastly,  a  risk  can 
be  controlled  with  countermeasures  (Myagmar  et  al.,  2005).  If  designers 
are  not  careful,  they  can  go  too  far  in  designing  countermeasures  and 
render  them  more  expensive  than  they  are  worth.  The  cost  to  implement 
a  countermeasure  must  be  factored  into  the  design  decision  and  should 
not  exceed  the  expected  risk  (Oladimej  et  al.,  2006). 

While  cost  is  an  important  factor,  countermeasures  must  also  be  evalu¬ 
ated  based  on  the  ability  to  meet  mission  goals  and  offer  operational 
benefits.  The  UAV  smart  device  GCS  is  being  evaluated  for  military 
operations;  therefore,  countermeasures  must  enable  mission  accom¬ 
plishment  with  tolerable  risk  and  refiect  the  environment  in  which  the 
system  is  deployed  (Clark  et  al.,  2007). 


Conclusions 

As  technology  continues  to  progress,  the  U.S.  government  cannot 
afford  to  sacrifice  security  for  enhanced  capabilities  and  features  on 
the  battlefield.  Mission  success  is  always  the  top  priority,  but  not  at  the 
cost  of  compromising  sensitive  information,  loss  of  multimillion-dollar 
assets,  or  casualties  of  soldiers.  While  a  number  of  threat  models  exist, 
they  have  not  evolved  to  effectively  evaluate  today’s  technology.  Current 
threat  models:  (1)  focus  primarily  on  software  applications,  and  don’t 
address  threats  to  the  system  in  totality— hardware,  software,  and  com¬ 
munication  network,  (2)  only  address  the  adversary  and  fail  to  address 
the  insider  threat— users  and  maintainers  of  the  system,  and  (3)  fail  to 
provide  a  threat  analysis  that  assesses  the  risk,  prioritizes  the  threats, 
and  provides  countermeasures.  The  robust  threat  model  we  propose 


Defense ARJ,  April  2015,  Vol.  22 No.  2: 240-273 


267 


A  Publication  of  the  Defense  Acquisition  University 


http://www.dau.mil 


for  the  UAV  smart  device  GCS  has  filled  the  gaps  identified  in  current 
threat  models  and  has  improved  on  existing  techniques  by  addressing 
threats  to  a  complete  UAS  (hardware,  software,  communication  net¬ 
work)  and  the  associated  human  threats.  Our  approach  also  conducts  a 
thorough  threat  analysis  by  completing  a  risk  assessment  and  provides 
countermeasures  for  the  threats  identified.  This  comprehensive  threat 
model  analysis  will  help  designers  and  users  in  the  military  and  civilian 
UAV  communities  to  understand  the  threat  profile  of  their  system  and 
to  enhance  the  security  and  operational  environment  of  the  UAV  smart 
device  GCS.  Most  importantly,  the  secured  devices  will  provide  soldiers 
with  the  secure,  enhanced  mission  capabilities  needed  to  protect  soldiers 
in  the  battlefield. 

While  this  threat  model  analysis  addresses  threats  to  military  UAV 
smart  device  GCSs,  the  enhanced  threat  model  can  also  be  used  to  assess 
Federal  Aviation  Administration  civilian  UAV  GCSs  and  industry  appli¬ 
cations  that  use  smart  devices  for  the  reception  and  sharing  of  sensitive 
information.  As  technology  continues  to  advance,  adversaries  will  con¬ 
tinue  to  alter  their  cyber  footprint.  Governments  and  industry  agencies 
must  adapt  accordingly  and  assess  threats  effectively.  Our  model  holds 
the  key  to  the  future  of  security. 
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